Hundreds of WordPress themes and plugins that make use of the Genericons package, could be vulnerable to a DOM-based XSS vulnerability affecting millions of WordPress installations. Genericons are versatile vector icons embedded in a webfont from Automattic (the creators of WordPress). The vulnerability resides in the examples.html file included in the Genericons package by default.

Themes and plugins affected include the default Twenty Fifteen theme that is installed by default on all WordPress installations and the JetPack Plugin, another very popular WordPress plugin (over 1 million active installs) by Automattic.

Fortunately, fixing this vulnerability is as simple as removing the unnecessary genericons/example.html file from your plugin or theme. WordPress 4.2.2 will proactively scan the wp-content directory for the Genericon HTML file and it is removed if found.

WordPress 4.2.2 also improves on a WordPress 4.2.1 Critical XSS Release and also includes includes hardening for a potential Cross-site scripting vulnerability when using WordPress’ Visual editor.

Acunetix can already detect WordPress installations affected by this vulnerability. If you are using Acunetix WVS, you will need to install the update from Help > Check for Updates. Acunetix OVS has been updated to detect the vulnerability.

Genericons DOM-based XSS Vulnerability

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.